Update CA2241 to handle cases from IDE0043

[Evangelink]

Fix #1254

[Evangelink]

We may want to report with a different diagnostic (message + desc).

[jmarolf]

I think, since we are saying we want to break with legacy FxCop behavior that introducing a new, more specific warning message would be nice.

[Evangelink]

I would still keep the same rule ID except if you think that's valuable to let users disable some part of the rule (I don't see the need as I don't expect much FPs).

[Evangelink]

I was tempted to update the code to handle these cases but I was a bit worried about the perf impact of analyzing the extra overloads. Let me know what you think.

[jmarolf]

I would go ahead and handle them.

[codecov]

Codecov Report

❌ Patch coverage is 99.15254% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 95.83%. Comparing base (5f3a4ce) to head (9003d4f).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4226      +/-   ##
==========================================
+ Coverage   95.81%   95.83%   +0.02%     
==========================================
  Files        1170     1170              
  Lines      266447   266951     +504     
  Branches    16050    16051       +1     
==========================================
+ Hits       255293   255836     +543     
+ Misses       9102     9087      -15     
+ Partials     2052     2028      -24     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[mavasani]

@jmarolf You have the most context on this analyzer. Can you please review?

[Evangelink]

@mavasani @jmarolf I think I need to rewrite the analyzer to use the regex as suggested in the ticket but I am fine with having a first review to start with, it shouldn't change much the main portion of the code.

[jmarolf]

I would extract this to a helper class and add unit tests explicitly for it. If we are going to maintain our own fork of the mscorlib parser code we should have tests to document its behavior.

[jmarolf]

Can we add a test for __arglist?

[Evangelink]

Do you mean an empty arglist? We have some tests with __arglist(5)

[jmarolf]

yep

[Evangelink]

I am not sure how to get it to work, I was expecting the following to be good but that's not the case:

public void M(__arglist)
{
    System.Console.WriteLine("", __arglist);
}

[jmarolf]

looks good! I would appreciate it if we could add a few more tests while we are here and I think having a separate, more descriptive diagnostic message would be nice

[Evangelink]

Do we want to add how many params are expected and how many were passed?

[jmarolf]

This sounds like a great idea

[Evangelink]

I don't know if it brings much to add the missing indexes, WDYT?

[jmarolf]

Considering we will "squiggle" the entire thing I think some text explaining how to fix what is wrong would help. Saying

"Some string format items are missing from this formatting method call. Nothing was passed for index '0'"

[Evangelink]

I don't think there is a need for a different ID (i.e. being able to activate one behavior without the other).

[jmarolf]

I think that users may want to configure different severities for these rules which would necessitate a different ID.

• having too few parameters, run time error, should be a warning
• having too many parameters, not a runtime error, should probably be info by default

[Evangelink]

Not sure if it's better to use the compiled regex here. It's not present in IDE0043 so I am assuming this was a conscious call.

[jmarolf]

compiling the regex has binary size implications in visual studio which we are very paranoid about. Having the regex be precompiled here is fine.

[Evangelink]

This filter was suggested but not present in the original implementation. Let me know if you prefer to revert this.

[jmarolf]

I am fine with this change

[Evangelink]

Do we want to report only on the string parameter?

[Evangelink]

There is an extra user option available in IDE0043, do we want to integrate it?

[jmarolf]

There is an extra user option available in IDE0043, do we want to integrate it?

If you have the time, I would love that. I think each of these options should be a different diagnostic Id that the user can configure independently.

[jmarolf]

@mavasani I would like providing too few parameters (which will cause a runtime error) to be enabled as a warning for analysis level 6. Do you have any objections?

[mavasani]

@mavasani I would like providing too few parameters (which will cause a runtime error) to be enabled as a warning for analysis level 6. Do you have any objections?

Sounds reasonable. However, lets follow a process for promoting any CA rule to a warning:

1. Create a separate design issue for the proposal
2. Discuss it via a design meeting with NetAnalyzers v-team OR get confirmation via email
3. Run the analyzer over dotnet/roslyn and dotnet/runtime to get confidence on no false positives and acceptable performance
4. Open a PR to promote it as a warning
5. File a doc issue on dotnet/docs to document breaking change in net6.0

[jmarolf]

@mavasani sounds like a plan. Looking over my notes from the last meeting I believe this has already been approved, but I agree let's not put foist those additional requirements on this PR. I'll create a follow up PR after this is merged.

[mavasani]

I'll create a follow up PR after this is merged.

As part of that we should also bump the analyzer to warning in dotnet/roslyn and dotnet/runtime and confirm no false positives and acceptable performance. I think that should be our miniumn quality gate before bumping up a rule to a warning.

[Evangelink]

I am working on the various open comment but I have a side question regarding the descriptors we want to create, basically we have the following use-cases:

1. Not enough args compared for well-known string format methods (overload with expected arguments)
   a. Console.WriteLine("{0} {1}", 42); -> causes runtime failure = Descriptor1 (e.g. NotEnoughArgsRule)
   b. Console.WriteLine("{1}", 42); -> causes runtime failure = Descriptor1 (e.g. NotEnoughArgsRule) but maybe also Descriptor2 (e.g. NotEnoughArgsMissingFormatItemRule). In this case we might want Descriptor2 to have the same ID as 1 but with a different message. I wouldn't report 2 diag on this line because we don't know what's the correct fix (i.e. it could be change 1 to 0 or add one more parameter).

2. Not enough args compared for well-known string format methods (overload without expected arguments). For example, Console.WriteLine("{0} {1}") or Console.WriteLine("{1}"), there is no runtime error so we probably want to use Descriptor3 (e.g. FormatItemInNonStringFormatMethodRule) and maybe Descriptor4 (e.g. FormatItemInNonStringFormatMethodMissingFormatItemRule) for the case with the missing {0}.

3. Correct number of args but missing format item (e.g. Console.WriteLine("{1}", 1, 2)) -> Descriptor5 (e.g. EnoughArgsMissingFormatItemRule).

4. Too many args for well-known string format methods. For example, Console.WriteLine("{0}", 1, 2) -> Descriptor6 (e.g. TooManyArgsRule) and for Console.WriteLine("{1}", 1, 2, 3) Descriptor7 (e.g. TooManyArgsMissingFormatItemRule).

In addition to the previous cases, there is a user option to provide additional string format methods, shall we reuse the previous descriptors or create a new set of them? Especially for case 1, where we are not sure if these additional methods will cause the runtime error so we might not want them to be raised as Warning by default.

Regarding the user-option available in roslyn - IDE0043 looking at the tests it seems that this is used to validate what I have called missing format item here. Do we want to keep this as a separate option?

[Evangelink]

I am wondering what can be done in term of diagnostic ID, I mean could we depreciate an old ID? I'd like to avoid having a too big gap between the 2 analyzers ID. The next available ID is CA2250. Except if we want to have 2 separate categories too.

I am also wondering if we want to simply bail-out for C# varargs or if we still want to report for missing format indexes? Related to this subject, I would need help for the syntax of the empty __arglist, I cannot make it compile.

I will push a WIP soon, here are the remaining steps:

1. Change location of the diagnostics
2. Update all title, message and descriptions
3. Add support for detection of format items in overload without the format string argument
4. Ensure I have ported all the editorconfig from CA2241 and IDE0043

[mavasani]

@Evangelink Let's not deprecate CA2241 ID, let's just repurpose it for one of the new buckets. Microsoft.CodeAnalysis.FxCopAnalyzers is soon going to be deprecated in favor of Microsoft.CodeAnalysis.NetAnalyzers, and we do not need to preserve any backcompat behavior from FxCop in the latter, so I wouldn't worry about breaking changes in CA2241.

[Evangelink]

It just feels a little weird as a user to have two really related rules so separated while I don't see much people who wouldn't both running.

[mavasani]

It just feels a little weird as a user to have two really related rules so separated while I don't see much people who wouldn't both running.

We already have multiple such cases, so it should be fine. Rule IDs should essentially be considered opaque.

[Evangelink]

@jmarolf @mavasani Do we have some kind of built-in mechanism I can rely on to fix this? Otherwise I think I will need to return the list of diagnostic allowed and use this at the time where I report.

[jmarolf]

@sharwell as he is the expert on test framework helpers. I am not aware of one.

[Evangelink]

I am tempted to have a separate set of descriptors for these cases (they will use CA2241 as the too many cases) because we are not sure these will lead to runtime failure as this is a custom implementation.

[jmarolf]

I would be fine with not issuing these diagnostics at all to start. Yes, historically we've done this but and I can see the utility but I would not turn these on for folks by default. This is always going to be something that you need to opt into. I like the idea of having a separate ID for custom methods so folks can still get these warnings on their custom loggers.

[Evangelink]

Same comment regarding the separate descriptors.

[jmarolf]

yep, lets add a new descriptor for this case.

[Evangelink]

@jmarolf so on these cases I need to report on all extra args, is it right?

[jmarolf]

I think thats what we want. Once we get the preview out for .NET 6 well see if feedback directs us to change this.

[Evangelink]

@jmarolf here I need to report on all extra args + somewhere for the missing format indexes (any suggestion?)

[jmarolf]

for this case I think the most useful location would be 1, and 3 indicating that these are unused.

[Evangelink]

Here I highlight all format indexes without associated args, right?

[jmarolf]

That would be my preference

[Evangelink]

How to highlight the missing indexes?

[jmarolf]

In this case I think we want to have a diagnostic on , 1 and say that is will not be used.

[mavasani]

@jmarolf Would be you able to review the latest commit and answer @Evangelink's questions?

[jmarolf]

@mavasani I'll review this after lunch, thanks for the ping

[jmarolf]

@Evangelink done with review pass, please ping me if I missed something.

[Evangelink]

@jmarolf Thank you for the various feedback! I will try to work on the pending changes by the end of the week (I might need a bit of time to get back to what's done and what's left to do, it's no longer really fresh in my mind).

[mavasani]

Please retarget this PR to https://github.com/dotnet/roslyn-analyzers/tree/release/6.0.1xx-preview1

[jmarolf]

@Evangelink gentle ping, do you have time to retarget this?

[Evangelink]

@jmarolf I will try to finish this PR by the end of next week. Looking back at it, there is still a lot of work to do.

[mavasani]

@Evangelink Would you have time to proceed further on this PR? Thanks!

[Youssef1313]

Were all rules supported by FxCop?

Removing stale PR block

[Youssef1313]

Ping @Evangelink